Compliance

According to the latest draft of the EU cybersecurity certification scheme for cloud services (EUCS), dated August 2023 (leaked by POLITICO), the data localisation requirement, which was heavily criticised by the industry, will now apply only to the highly critical “high+” level. Data localisation would, should the EUCS be approved as such, not apply to the category 3 (“high”) level. This might not be the end of a debate that has run wild between industry (with major cloud providers unkeen with the idea) on one side and some member states defending some level of sovereignty, such as France, Italy and Spain, and EU institutions (such as the European Data Protection Board and ENISA) on the other one.

Continue Reading Fewer Clouds on … Cloud: The EU to (Finally) Drop Most Data Localisation Requirements in the EUCS

With its private right of action and expansive scope – extending far beyond Washington state’s borders and applying to a wide swath of health- and non-health-oriented companies alike – Washington’s My Health My Data Act is poised to be more ground-shifting than any other consumer privacy law that came before it. Join Kyle Fath, Bola Shonowo and Gicel Tomimbang for a discussion of:

Continue Reading Join us on September 28 for a Webinar on Washington’s My Health My Data Act and other Consumer Health Data Regulation

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.

Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

China Generative AI New Provisional Measures | Privacy World

Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy

Recently, the Cyberspace Administration of China issued new comprehensive provisional measures, which went into effect on August 15, 2023, and govern the development and use of generative AI (GAI) in China. The measures cover “GAI services” (including foreign-invested GAI services) provided within the PRC, including the text, pictures, audios, videos and other content they generate.

As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?

Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

India Welcomes Landmark Data Protection Law | Privacy World

Join Us Live in Washington DC on September 19: Avoiding Litigation

On 11 August 2023, after close to a decade since its initial conception, India’s Digital Personal Data Protection Act (Act) received presidential assent, formalising the nation’s first ever comprehensive data protection law.

Definitions

There are several key definitions and references adopted in the Act, as follows:

  • “Data fiduciary” means

    • In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

    Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and

    Developing a compliant privacy and cybersecurity program is a challenging undertaking that requires balancing profitability with current enforcement and litigation risk. Join us live in our Washington DC office to hear from in-house leaders, a former FBI agent, an incident response forensic expert, world-class public policy experts and our privacy and cybersecurity professionals who help companies balance these risks on a regular basis. CLE credit will be offered.

    Date: Tuesday, September 19

    Time: 2 – 5 p.m. ET, with networking reception to follow.

    Location: Squire Patton Boggs Washington DC Office, 2550 M Street NW, Washington, DC 20037

    Register here.

    Seats are limited for this half-day event where we will dive deep, in four separate panels:

    Continue Reading Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and Artificial Intelligence Scrutiny